Data verification apparatus

ABSTRACT

A data verification apparatus includes a storage, a management unit, and a verification unit. The storage includes a first storage and a second storage. The first storage stores first data and first status information. The second storage stores second data and second status information. The management unit controls a write process and updates the first status information and the second status information in response to the write process, the write process being a process of writing the first data to the first storage on a basis of data acquired by communication with an external apparatus, and thereafter writing the second data to the second storage on a basis of the data. The verification unit verifies, in a state in which the communication is disconnected, the first data and the second data on a basis of the first status information and the second status information.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application claims priority from Japanese Patent Application No. 2018-242136 filed on Dec. 26, 2018, the entire contents of which are hereby incorporated by reference.

BACKGROUND

The technology relates to a data verification apparatus that verifies data.

Vehicles such as automobiles are often equipped with nonvolatile storage apparatuses. The storage apparatus stores various data to be used in the vehicle. For example, Japanese Unexamined Patent Application Publication No. 2008-276663 discloses a data rewrite system that generates a rewrite inhibit command in a case where a rewrite command to a storage apparatus is confirmed to be invalid.

SUMMARY

An aspect of the technology provides a data verification apparatus including a storage, a management unit, and a verification unit. The storage includes a first storage and a second storage, the first storage being configured to store first data and first status information, the second storage being configured to store second data and second status information. The management unit is configured to control a write process and update the first status information and the second status information in response to the write process, the write process being a process of writing the first data to the first storage on a basis of data acquired by communication with an external apparatus, and thereafter writing the second data to the second storage on a basis of the data. The verification unit is configured to verify, in a state in which the communication is disconnected, the first data and the second data on a basis of the first status information and the second status information.

An aspect of the technology provides a data verification apparatus including a storage and circuitry. The storage includes a first storage and a second storage, the first storage being configured to store first data and first status information, the second storage being configured to store second data and second status information. The circuitry is configured to control a write process and update the first status information and the second status information in response to the write process, the write process being a process of writing the first data to the first storage on a basis of data acquired by communication with an external apparatus, and thereafter writing the second data to the second storage on a basis of the data. The circuitry is also configured to verify, in a state in which the communication is disconnected, the first data and the second data on a basis of the first status information and the second status information.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings are included to provide a further understanding of the disclosure and are incorporated in and constitute a part of this specification. The drawings illustrate example embodiments and, together with the specification, serve to explain the principles of the technology.

FIG. 1 is a block diagram illustrating a configuration example of a charging system according to one example embodiment of the technology.

FIG. 2 is an explanatory diagram illustrating an example of a data section illustrated in FIG. 1.

FIG. 3 is an explanatory diagram illustrating an example of an update data section illustrated in FIG. 1.

FIG. 4A is a flowchart illustrating an operation example of a vehicle illustrated in FIG. 1.

FIG. 4B is another flowchart illustrating an operation example of the vehicle illustrated in FIG. 1.

FIG. 5A is another flowchart illustrating an operation example of the vehicle illustrated in FIG. 1.

FIG. 5B is another flowchart illustrating an operation example of the vehicle illustrated in FIG. 1.

FIG. 6A is a table illustrating an operation example of the vehicle illustrated in FIG. 1.

FIG. 6B is another table illustrating an operation example of the vehicle illustrated in FIG. 1.

FIG. 7A is another table illustrating an operation example of the vehicle illustrated in FIG. 1.

FIG. 7B is another table illustrating an operation example of the vehicle illustrated in FIG. 1.

DETAILED DESCRIPTION

In the following, some example embodiments of the technology are described with reference to the accompanying drawings. Note that the following description is directed to illustrative examples of the disclosure and not to be construed as limiting to the technology. In each of the drawings referred to in the following description, elements have different scales in order to illustrate the respective elements with sizes recognizable in the drawings. Therefore, factors including, without limitation, the number of each of the elements, the shape of each of the elements, a size of each of the elements, a ratio between the elements, and relative positional relationship between the elements are illustrative only and not to be construed as limiting to the technology. Further, elements in the following example embodiments which are not recited in a most-generic independent claim of the disclosure are optional and may be provided on an as-needed basis. Throughout the present specification and the drawings, elements having substantially the same function and configuration are denoted with the same numerals to avoid any redundant description.

It is generally desired that data stored in a storage apparatus have high reliability, and a further improvement in reliability is expected.

It is desirable to provide a data verification apparatus that makes it possible to improve reliability of data.

Example Embodiment

Configuration Example

FIG. 1 illustrates a configuration example of a charging system 1 to which a data verification apparatus according to an example embodiment is applicable. The charging system 1 may include a vehicle 10, a charging station 30, a management apparatus 40, and a server 50.

The vehicle 10 may be, for example, an electric vehicle. In a case of intending to charge a battery 14 of the vehicle 10, a driver (user) of the vehicle 10 may move the vehicle 10 to the charging station 30, and couple the vehicle 10 to the charging station 30 with a cable. The charging station 30 may communicate with the vehicle 10 via the cable, and perform authentication on the basis of certificate data DT stored in the vehicle 10. In a case where the authentication succeeds, the charging station 30 may supply electric power to the battery 14 of the vehicle 10. By using a user information database 52, the server 50 may specify information necessary for accounting, and perform the accounting on the user on the basis of the information. The information may correspond to a user identifier UID included in the certificate data DT. The battery 14, the user information database 52, and the user identifier UID will be described later.

The certificate data DT stored in the vehicle 10 may be updated at regular time intervals, for example. In this example, the vehicle 10 may acquire new certificate data DT from the charging station 30 by communicating with the charging station 30 via the cable, and update the certificate data DT stored in the vehicle 10 with the new certificate data DT. In updating the certificate data DT, a write error can occur in the vehicle 10, for example. In this case, it is possible for the vehicle 10 to re-update the certificate data DT by, for example, communicating with the charging station 30.

In some cases, a malfunction of a component of the vehicle 10, for example, can cause an error to occur in the certificate data DT. There is also a possibility that a malicious person tampers with the certificate data DT. The vehicle 10 may determine that a component malfunction or data tampering has occurred, on the basis of status information and the certificate data DT that are stored in the vehicle 10, and rewrite the status information. The status information may include a data status STD and an update status STU to be described later. In this case, the vehicle 10 may enter a locked state. The locked state may be a state in which the vehicle 10 is not supplied with electric power from the charging station 30, and does not update the certificate data DT upon communicating with the charging station 30. In such a case, the user may bring the vehicle 10 to a dealer, for example. In a case of a component malfunction, the dealer may replace the component. In addition, the management apparatus 40 managed by the dealer may communicate with the vehicle 10 to forcibly update the certificate data DT stored in the vehicle 10 and reset the status information. In a case of data tampering, the management apparatus 40 managed by the dealer may communicate with the vehicle 10 to forcibly update the certificate data DT stored in the vehicle 10 and reset the status information. Thus, even in a case where the vehicle 10 is in the locked state, it is possible for the management apparatus 40 to forcibly write certificate data DT to the vehicle 10, thereby unlocking the vehicle 10.

The vehicle 10 may include a gateway 11, a security controller 20, a display 13, the battery 14, an inverter 15, and a motor 16.

The gateway 11 may include relays 11A and 11B. The relay 11A may relay communication between the security controller 20 and the charging station 30. The security controller 20 and the charging station 30 may be coupled to each other with a cable, for example, to perform communication using Transport Layer Security (TLS). The relay 11B may relay communication between the security controller 20 and the management apparatus 40. The security controller 20 and the management apparatus 40 may be coupled to each other with a cable, for example, to perform security communication using a dedicated standard, for example.

The security controller 20 may include, for example, a security electronic control unit (ECU). The security ECU may include one or more semiconductor chips, for example. The security controller 20 may include a communicator 21, a section management unit 22, a storage 23, a power supply monitoring unit 24, and a monitoring unit 25.

In a case where the vehicle 10 is coupled to the charging station 30, the communicator 21 may communicate with the charging station 30 via the relay 11A of the gateway 11. In a case where the vehicle 10 is coupled to the management apparatus 40, the communicator 21 may communicate with the management apparatus 40 via the relay 11B of the gateway 11.

The section management unit 22 may manage a data section SECD and an update data section SECU of the storage 23, by managing a process of writing data to the storage 23 and a process of reading data from the storage 23.

The storage 23 may include, for example, a nonvolatile memory such as a flash memory. The storage 23 may include a firewall FW, the data section SECD, and the update data section SECU.

The firewall FW may monitor communication with the section management unit 22, and prevent undesired communication in order to protect data stored in the storage 23.

The data section SECD may be a memory region that stores various data to be used in the vehicle 10.

FIG. 2 illustrates an example of the data section SECD. The data section SECD may store a plurality of data sets DS including data sets DS1, DS2, etc. Certificate data DT may be stored in any one of the data sets DS (in this example, a first data set DS1). The data set DS1 may include a data status STD, a data number ND, the certificate data DT (certificate data DTD), and a SUM value. For convenience of description, the certificate data DT stored in the data section SECD is also referred to as certificate data DTD.

The data status STD may include information about a status of the write process performed by the security controller 20. In this example, it is possible to set the data status STD to “normal”, “to be updated”, or “tampered with”, for example, as will be described later.

The data number ND may be a number that identifies the data set DS1 among the data sets DS stored in the data section SECD. The data number ND may correspond to an address that indicates a memory region storing the data set DS1 in the data section SECD.

The certificate data DTD may be an encrypted digital certificate. The certificate data DTD may include information about, for example, an identifier (vehicle identifier VID) that enables the vehicle 10 to be identified or an identifier (user identifier UID) that enables the user to be identified.

The SUM value may be a code value of an error detecting code. In this example, the SUM value may be calculated on the basis of the data status STD, the data number ND, and the certificate data DTD included in the data set DS1. By using the SUM value, the security controller 20 is able to verify presence or absence of a data error in the data set DS1.

Although the SUM value is used in this example, what is used for verification is not limited. Instead of the SUM value, mirror data of the data status STD, the data number ND, and the certificate data DTD may be used, for example. In this case, the security controller 20 is able to detect a place of a data error, for example, in addition to presence or absence of a data error.

The update data section SECU (FIG. 1) may be a memory region that temporarily stores new certificate data DT to be stored in the data section SECD, for example, before updating the certificate data DT stored in the data section SECD. In other words, in updating the certificate data DT, the security controller 20 may first write certificate data DT to the update data section SECU, and thereafter write the certificate data DT to the data section SECD.

FIG. 3 illustrates an example of the update data section SECU. In this example, data stored in the update data section SECU may include an update status STU, a data number NU, certificate data DT (certificate data DTU), and a SUM value. For convenience of description, the certificate data DT stored in the update data section SECU is also referred to as certificate data DTU.

The update status STU may include information about a status of the write process performed by the security controller 20. In this example, it is possible to set the update status STU to “updating”, “being rewritten”, or “unassigned”, for example, as will be described later.

The data number NU may be a data number ND of a data set in the data section SECD, to which data of the update data section SECU is to be written. The data set may be the data set DS1 in this example. In a case of storing the certificate data DT in a data set DS2 in the data section SECD, for example, the data number NU of the update data section SECU may be a data number ND included in the data set DS2.

The certificate data DTU may be an encrypted digital certificate to be written to the data section SECD as the certificate data DTD.

The SUM value may be a code value of an error detecting code. The SUM value may be calculated on the basis of the update status STU, the data number NU, and the certificate data DTU. By using the SUM value, the security controller 20 is able to verify presence or absence of a data error in data stored in the update data section SECU.

Although the SUM value is used in this example, what is used for verification is not limited. Instead of the SUM value, mirror data of the data status STU, the data number NU, and the certificate data DTU may be used, for example. In this case, the security controller 20 is able to detect a place of a data error, for example, in addition to presence or absence of a data error.

In the security controller 20 with this configuration, the section management unit 22 may read the certificate data DT (certificate data DTD) from the data section SECD of the storage 23 on the basis of, for example, a read request from the charging station 30. The communicator 21 may transmit the read certificate data DT to the charging station 30 via the relay 11A. In addition, for example, in a case where new certificate data DT for update that is transmitted from the charging station 30 is received, the section management unit 22 first writes the new certificate data DT to the update data section SECU as the certificate data DTU. Thereafter, the section management unit 22 writes the new certificate data DT to the data section SECD as the certificate data DTD. In addition, in response to the write process, the section management unit 22 writes the update status STU to the update data section SECU, and writes the data status STD to the data section SECD.

The power supply monitoring unit 24 may monitor a power supply voltage that is to be supplied to the security controller 20. In a case where electric power supply stops and thereafter recovers, the power supply monitoring unit 24 may supply, to the monitoring unit 25, information about the stop of the electric power supply.

The monitoring unit 25 may monitor the data stored in the storage 23. Each time the vehicle 10 starts up, for example, the monitoring unit 25 may check whether the write process performed by the security controller 20 has been interrupted, on the basis of the update status STU and the data status STD stored in the storage 23. In a case where the write process has been interrupted, the monitoring unit 25 may check at which stage the interruption has occurred, and determine whether a component malfunction or data tampering has occurred or a data write error has occurred. The determination may be made on the basis of a result of the check, and the certificate data DTU and the certificate data DTD stored in the storage 23. The monitoring unit 25 may also determine a cause of the interruption of the write process, on the basis of information supplied from the power supply monitoring unit 24.

The display 13 may be provided on, for example, an instrument panel, and may include a liquid crystal display, for example. The display 13 may notify the user of information about data tampering or a data write error, for example, on the basis of an instruction from the monitoring unit 25.

The battery 14 may store electric power, and supply direct current electric power to the inverter 15. The battery 14 may be able to store electric power supplied from the charging station 30. The inverter 15 may generate alternating current electric power on the basis of the direct current electric power supplied from the battery 14, and supply the generated alternating current electric power to the motor 16. The motor 16 may be a power source that generates mechanical energy on the basis of the alternating current electric power supplied from the inverter 15. The mechanical energy may serve as driving force. Accordingly, the vehicle 10 is able to travel on the basis of the driving force of the motor.

The charging station 30 (FIG. 1) may be able to supply electric power to the battery 14 of the vehicle 10. The charging station 30 may be managed by, for example, a business operator that conducts charging business. Although this example takes a charging station as an example, the example is not limitative. Instead of a charging station, an apparatus that is able to supply electric power to home by Vehicle to Home (V2H) may be used for example. The charging station 30 may include an authentication unit 31, a power feed unit 32, and a certificate update unit 33.

The authentication unit 31 may perform authentication, on the basis of the certificate data DT acquired from the vehicle 10. In one example, the authentication unit 31 may perform the authentication by making inquiry to the user information database 52 of the server 50, on the basis of the certificate data DT acquired from the vehicle 10. The user information database 52 will be described later.

In a case where the authentication performed by the authentication unit 31 succeeds, the power feed unit 32 may supply electric power to the battery 14 of the vehicle 10. The charging station 30 may supply, to the server 50, information about the user identifier UID included in the certificate data DT, and information about an amount of the electric power supplied to the battery 14.

The certificate update unit 33 may update the certificate data DT of the vehicle 10. In one example, the certificate update unit 33 may update the certificate data DT of the vehicle 10 by writing new certificate data DT generated and transmitted by the server 50 to the storage 23 of the vehicle 10.

The management apparatus 40 may be managed by, for example, a dealer. The management apparatus 40 may include a certificate update unit 41. Like the certificate update unit 33 of the charging station 30, the certificate update unit 41 may update the certificate data DT. The management apparatus 40 may forcibly write new certificate data DT to the storage 23 of the vehicle 10.

The server 50 may include a certificate generator 51, the user information database 52, and an accounting processor 53.

The certificate generator 51 may generate the certificate data DT of the vehicle 10, on the basis of a request from the charging station 30 or the management apparatus 40. The server 50 may transmit the certificate data DT generated by the certificate generator 51 to the charging station 30 or the management apparatus 40 that has made the request.

The user information database 52 may manage, for example, the vehicle identifier VID, the user identifier UID, and information that is necessary for accounting on the user corresponding to the user identifier UID, in association with one another. The information necessary for the accounting may be, for example, credit card information or bank account information.

The accounting processor 53 may perform the accounting on the basis of the information about the user identifier UID and the information about the amount of supplied electric power, which are transmitted from the charging station 30. In one example, by using the user information database 52, the accounting processor 53 may specify information that is necessary for accounting on the user corresponding to the user identifier UID, on the basis of the user identifier UID transmitted from the charging station 30. The accounting processor 53 may calculate an amount of money on the basis of the information about the amount of supplied electric power, which is transmitted from the charging station 30, and perform the accounting on the basis of the calculated amount of money and the specified information necessary for the accounting.

In one embodiment, the security controller 20 may serve as a “data verification apparatus”. In one embodiment, the storage 23 may serve as a “storage”. In one embodiment, the update data section SECU may serve as a “first storage”. In one embodiment, the data section SECD may serve as a “second storage”. In one embodiment, the section management unit 22 may serve as a “management unit”. In one embodiment, the monitoring unit 25 may serve as a “verification unit”.

Operations and Workings

Now, description will be given on operations and workings of the charging system 1 of the example embodiment.

(Outline of Overall Operation)

First, an outline of overall operation of the charging system 1 will be described with reference to FIG. 1. In a case of intending to charge the battery 14 of the vehicle 10, the driver (user) of the vehicle 10 may move the vehicle 10 to the charging station 30, and couple the vehicle 10 to the charging station 30 with a cable. By communicating with the vehicle 10 via the cable, the charging station 30 may read the certificate data DT (certificate data DTD) stored in the data section SECD of the storage 23. On the basis of the read certificate data DT, the authentication unit 31 of the charging station 30 may perform authentication by making inquiry to the user information database 52 of the server 50. In a case where the authentication succeeds, the power feed unit 32 may supply electric power to the battery 14 of the vehicle 10. The charging station 30 may transmit, to the server 50, information about the user identifier UID included in the certificate data DT, and information about an amount of the electric power supplied to the battery 14. The accounting processor 53 of the server 50 may perform accounting, on the basis of the information about the user identifier UID and the information about the amount of supplied electric power, by using the user information database 52.

In addition, the vehicle 10 may acquire new certificate data DT from the charging station 30 by communicating with the charging station 30 via the cable, and update the certificate data DT stored in the vehicle 10 with the new certificate data DT. The section management unit 22 may manage the data section SECD and the update data section SECU of the storage 23, by managing the process of writing data to the storage 23 and the process of reading data from the storage 23. The section management unit 22 may first write the acquired new certificate data DT to the update data section SECU as the certificate data DTU, and thereafter write the new certificate data DT to the data section SECD as the certificate data DTD. In addition, in response to the write process, the section management unit 22 may write the update status STU to the update data section SECU, and write the data status STD to the data section SECD.

The monitoring unit 25 may monitor the data stored in the storage 23. The display 13 may notify the user of information about data tampering or a data write error, for example, on the basis of an instruction from the monitoring unit 25.

(Update of Certificate Data DT)

FIGS. 4A and 4B illustrate operation of the vehicle 10 in updating the certificate data DT. The section management unit 22 of the vehicle 10 may write new certificate data DT acquired from the charging station 30 to the update data section SECU as the certificate data DTU, and thereafter write the new certificate data DT to the data section SECD as the certificate data DTD. In addition, in response to the write process, the section management unit 22 may write the update status STU to the update data section SECU, and write the data status STD to the data section SECD. This operation is described in detail below.

First, the communicator 21 of the security controller 20 may receive new certificate data DT transmitted from the charging station 30 (step S101).

Thereafter, the section management unit 22 may check a data set DS to be updated in the data section SECD (step S102). In this example, certificate data DT (certificate data DTD) may be stored in the first data set DS1, as illustrated in FIG. 2. The section management unit 22 may therefore confirm that the data set DS to be updated is the first data set DS1.

Thereafter, the section management unit 22 may check whether the SUM value in the data set DS to be updated is normal (step S103). In this example, the section management unit 22 may calculate a SUM value on the basis of the data status STD, the data number ND, and the certificate data DTD included in the first data set DS1. In a case where the calculated SUM value matches the SUM value included in the data set DS1, the section management unit 22 may determine that the SUM value is normal.

In a case where the SUM value is abnormal in step S103 (“N” in step S103), the section management unit 22 may write a data status STD indicating “tampered with” to the data section SECD, thereby setting the data status STD to “tampered with” (step S104). In other words, in this case, a data error has occurred in the certificate data DT (certificate data DTD) in the data section SECD. Accordingly, the section management unit 22 may determine that it is likely that a component has malfunctioned or data has been tampered with, and set the data status STD to “tampered with”.

The monitoring unit 25 may confirm that the data status STD is “tampered with”, and the display 13 may display that a component malfunction or data tampering has occurred, on the basis of an instruction from the monitoring unit 25 (step S105).

The communicator 21 may notify the charging station 30 that a component malfunction or data tampering has occurred, on the basis of an instruction from the section management unit 22 (step S106).

In a case where the data status STD is “tampered with” as described above, the vehicle 10 may enter the locked state. Thereafter, the charging station 30 may be unable to update the certificate data DT of the vehicle 10, and may be unable to charge the battery 14 of the vehicle 10. In this case, the user may bring the vehicle 10 to a dealer, for example. In a case of a component malfunction, the dealer may replace the component. In addition, the management apparatus 40 may communicate with the vehicle 10 to update the certificate data DT stored in the vehicle 10 and reset the data status STD. In a case of data tampering, the management apparatus 40 managed by the dealer may communicate with the vehicle 10 to forcibly write certificate data DT to the vehicle 10 and reset the data status STD. In this manner, it is possible for the management apparatus 40 to unlock the vehicle 10.

In a case where the SUM value is normal in step S103 (“Y” in step S103), the section management unit 22 may write an update status STU indicating “being rewritten” to the update data section SECU, thereby setting the update status STU to “being rewritten” (step S107).

Thereafter, the section management unit 22 may write the new certificate data DT received by the communicator 21 in step S101 to the update data section SECU as the certificate data DTU (step S108).

Thereafter, the section management unit 22 may calculate a SUM value on the basis of the certificate data DTU written to the update data section SECU, and write the SUM value to the update data section SECU (step S109). In one example, it is possible for the section management unit 22 to read the certificate data DTU written to the update data section SECU in step S108, and calculate the SUM value on the basis of the read certificate data DTU. This example is not limitative. Alternatively, a buffer memory (not illustrated) may, for example, temporarily store the certificate data DT received by the communicator 21 in step S101. The section management unit 22 may calculate the SUM value on the basis of the certificate data DT stored in the buffer memory, and write the SUM value to the update data section SECU.

Thereafter, the section management unit 22 may write an update status STU indicating “updating” to the update data section SECU, thereby setting the update status STU to “updating” (step S110).

Thereafter, the section management unit 22 may write a data status STD indicating “to be updated”, to the data section SECD, thereby setting the data status STD to “to be updated” (step S111).

Thereafter, the section management unit 22 may perform updating, i.e., updating data of the data section SECD on the basis of the update data section SECU (step S112). In one example, the section management unit 22 may read the data number NU and the certificate data DT (certificate data DTU) stored in the update data section SECU, and write the read certificate data DT, as the certificate data DTD, to a data set DS in the data section SECD. The data set DS may correspond to the read data number NU, and may be the first data set DS1 in this example. In addition, the section management unit 22 may read the SUM value stored in the update data section SECU, and write the read SUM value to the data set DS (in this example, the data set DS1).

Thereafter, the section management unit 22 may check whether the data ofthe data section SECD and the data of the update data section SECU matcheach other (step S113). In one example, the section management unit 22may check whether the data number ND, the certificate data DTD, and theSUM value of the data set DS in the data section SECD and the datanumber NU, the certificate data DTU, and the SUM value of the updatedata section SECU respectively match each other. The data set DS maystore the certificate data DT, and may be the first data set DS1 in thisexample.

In a case where the data of the data section SECD and the data of the update data section SECU match each other in step S113 (“Y” in step S113), the section management unit 22 may write a data status STD indicating “normal” to the data section SECD, thereby setting the data status STD to “normal” (step S114).

Thereafter, the section management unit 22 may write an update status STU indicating “unassigned” to the update data section SECU, thereby setting the update status STU to “unassigned” (step S115).

Thereafter, the monitoring unit 25 may confirm that the data status STD is “normal” and the update status STU is “unassigned”, and the display 13 may display that the update of the certificate data DT has been completed normally, on the basis of an instruction from the monitoring unit 25 (step S116).

The communicator 21 may notify the charging station 30 that the update of the certificate data DT has been completed normally, on the basis of an instruction from the section management unit 22 (step S117).

In a case where the data of the data section SECD and the data of the update data section SECU do not match each other in step S113 (“N” in step S113), the section management unit 22 may keep the data status STD of the data section SECD at “to be updated” (step S118). Thereafter, as in step S112, the section management unit 22 may perform again the updating, i.e., updating the data of the data section SECD on the basis of the update data section SECU (step S119). Thereafter, as in step S113, the section management unit 22 may check whether the data of the data section SECD and the data of the update data section SECU match each other (step S120). In a case where the data of the data section SECD and the data of the update data section SECU match each other in step S120 (“Y” in step S120), the operation may go to step S114. In a case where the data of the data section SECD and the data of the update data section SECU do not match each other (“N” in step S120), steps S119 and S120 may be repeated a predetermined number of times.

In a case where the number of times of repetition reaches the predetermined number of times (“Y” in step S121), the monitoring unit 25 may confirm that the data status STD is “to be updated” and the update status STU is “updating”, and the display 13 may display that a write error has occurred, on the basis of an instruction from the monitoring unit 25 (step S122).

The communicator 21 may notify the charging station 30 that a write error has occurred, on the basis of an instruction from the section management unit 22 (step S123).

This may be the end of this flow.

In one embodiment, the certificate data DTU may serve as “first data”. In one embodiment, the update status STU may serve as “first status information”. In one embodiment, “being rewritten” of the update status STU may serve as a “first status”. In one embodiment, “updating” of the update status STU may serve as a “second status”. In one embodiment, “unassigned” of the update status STU may serve as a “third status”. In one embodiment, the certificate data DTD may serve as “second data”. In one embodiment, the data status STD may serve as “second status information”. In one embodiment, “tampered with” of the data status STD may serve as a “fourth status”. In one embodiment, “to be updated” of the data status STD may serve as a “fifth status”. In one embodiment, “normal” of the data status STD may serve as a “sixth status”.

(Operation of Charging Battery 14)

FIGS. 5A and 5B illustrate operation of the vehicle 10 in charging the battery 14 by using the certificate data DT. The section management unit 22 of the vehicle 10 may read, from the data section SECD, a data set DS including certificate data DT (certificate data DTD), and determine whether the certificate data DT is normal on the basis of the data set DS. In a case where the certificate data DT is normal, the charging station 30 may charge the battery 14 of the vehicle 10. This operation is described in detail below.

First, the section management unit 22 may read a data set DS including certificate data DT (certificate data DTD) from the data section SECD (step S131). In this example, the first data set DS1 may include the certificate data DT. The section management unit 22 may therefore read the first data set DS1.

Thereafter, the section management unit 22 may check whether the data status STD included in the read data set DS is “tampered with” (step S132).

In a case where the data status STD is “tampered with” in step S132 (“Y” in step S132), the monitoring unit 25 may confirm that the data status STD is “tampered with”, and the display 13 may display that a component malfunction or data tampering has occurred, on the basis of an instruction from the monitoring unit 25 (step S133).

Thereafter, as in step S106, the communicator 21 may notify the charging station 30 that a component malfunction or data tampering has occurred, on the basis of an instruction from the section management unit 22 (step S134). In this case, the charging station 30 may refrain from supplying electric power to the battery 14 of the vehicle 10.

In a case where the data status STD is not “tampered with” in step S132 (“N” in step S132), the section management unit 22 may check whether the data status STD is “to be updated” (step S135).

In a case where the data status STD is “to be updated” in step S135 (“Y” in step S135), the section management unit 22 may keep the data status STD of the data section SECD at “to be updated” (step S136). Thereafter, the section management unit 22 may perform again the updating, i.e., updating the data of the data section SECD on the basis of the update data section SECU (step S137). Thereafter, the section management unit 22 may check whether the data of the data section SECD and the data of the update data section SECU match each other (step S138). In a case where the data of the data section SECD and the data of the update data section SECU match each other in step S138 (“Y” in step S138), the operation may go to step S142. In a case where the data of the data section SECD and the data of the update data section SECU do not match each other (“N” in step S138), steps S137 and S138 may be repeated a predetermined number of times.

In a case where the number of times of repetition reaches the predetermined number of times (“Y” in step S139), the monitoring unit 25 may confirm that the data status STD is “to be updated”, and the display 13 may display that a write error has occurred, on the basis of an instruction from the monitoring unit 25 (step S140).

The communicator 21 may notify the charging station 30 that a write error has occurred, on the basis of an instruction from the section management unit 22 (step S141). In this case, the charging station 30 may refrain from supplying electric power to the battery 14 of the vehicle 10.

In a case where the data status STD is not “to be updated” in step S135 (“N” in step S135), the section management unit 22 may check whether the SUM value of the data set DS read in step S131 is normal (step S142). In this example, the section management unit 22 may calculate a SUM value on the basis of the data status STD, the data number ND, and the certificate data DTD included in the first data set DS1. In a case where the calculated SUM value matches the SUM value included in the data set DS1, the section management unit 22 may determine that the SUM value is normal.

In a case where the SUM value of the data set DS is abnormal in step S142 (“N” in step S142), the section management unit 22 may write a data status STD indicating “tampered with” to the data section SECD, thereby setting the data status STD to “tampered with” (step S143).

The monitoring unit 25 may confirm that the data status STD is “tampered with”, and the display 13 may display that a component malfunction or data tampering has occurred, on the basis of an instruction from the monitoring unit 25 (step S144).

The communicator 21 may notify the charging station 30 that a component malfunction or data tampering has occurred, on the basis of an instruction from the section management unit 22 (step S145). In this case, the charging station 30 may refrain from supplying electric power to the battery 14 of the vehicle 10.

In a case where the SUM value of the data set DS is normal in step S142 (“Y” in step S142), the section management unit 22 may determine that the certificate data DT (certificate data DTD) included in the data set DS is normal, and the communicator 21 may transmit the certificate data DT to the charging station 30 (step S146).

The authentication unit 31 of the charging station 30 may perform authentication on the basis of the certificate data DT transmitted from the vehicle 10. In a case where the authentication succeeds, the power feed unit 32 may supply electric power to the battery 14 of the vehicle 10. In this manner, electric power may be supplied to the battery 14 of the vehicle 10 (step S147).

(Data Verification Operation in Vehicle 10)

Each time the vehicle 10 starts up, for example, the monitoring unit 25 of the security controller 20 may check whether the write process performed by the security controller 20 has been interrupted, on the basis of the update status STU and the data status STD stored in the storage 23. In a case where the write process has been interrupted, the monitoring unit 25 may check at which stage the interruption has occurred, and determine whether a component malfunction or data tampering has occurred or a data write error has occurred. The determination may be made on the basis of a result of the check, and the certificate data DTU and the certificate data DTD stored in the storage 23. The following description describes, in order, data verification based on the data of the update data section SECU, and data verification based on the data of the data section SECD.

FIGS. 6A and 6B illustrate an example of data verification operation performed by the monitoring unit 25 on the basis of the data of the update data section SECU. In FIG. 6, “without data error” indicates that the SUM value is normal, and “with data error” indicates that the SUM value is abnormal.

For example, in a case where the update status STU is “undefined”, the monitoring unit 25 may determine that a component malfunction or data tampering has occurred. In other words, in this example, three statuses, i.e., “updating”, “being rewritten”, and “unassigned”, may be defined to be able to be set as the update status STU. Therefore, the update status STU being none of the three statuses means that the update status STU itself has changed. Accordingly, the monitoring unit 25 may determine that a component malfunction or data tampering has occurred.

In this case, the section management unit 22 may set the data status STD to “tampered with”, thereby locking the vehicle 10. The display 13 may display that a component malfunction or data tampering has occurred, on the basis of an instruction from the monitoring unit 25. In the locked state, the vehicle 10 may be unable to delete the data of the update data section SECU or re-update the certificate data DT by communicating with the charging station 30. The charging station 30 may be unable to unlock the vehicle 10, and only the management apparatus 40 may be able to unlock the vehicle 10. In such a case, the driver (user) of the vehicle 10 may bring the vehicle 10 to a dealer. In a case of a component malfunction, the dealer may replace the component. In addition, the management apparatus 40 may communicate with the vehicle 10 to update the certificate data DT stored in the vehicle 10 and reset the data status STD. In a case of data tampering, the management apparatus 40 may communicate with the vehicle 10 to update the certificate data DT stored in the vehicle 10 and reset the data status STD. Thus forcibly writing certificate data DT to the vehicle 10 enables the management apparatus 40 to unlock the vehicle 10.

For example, in a case where the update status STU is “being rewritten” and the certificate data DTU includes a data error, the monitoring unit 25 may determine that a write error has occurred, during data writing to the update data section SECU.

In this case, the section management unit 22 may set the data status STD to “to be updated”. The display 13 may display that a write error has occurred, on the basis of an instruction from the monitoring unit 25. In other words, in this case, the write process has been interrupted at a stage where writing of certificate data DT to the update data section SECU has not been completed. It is therefore unlikely that the certificate data DT has been tampered with, for example. Accordingly, the section management unit 22 may refrain from locking the vehicle 10. In such a case, the section management unit 22 may be able to delete the data of the update data section SECU or re-update the certificate data DT by communication with the charging station 30.

For example, in a case where the update status STU is “updating” and the certificate data DTU includes a data error, the monitoring unit 25 may determine that a component malfunction or data tampering has occurred. In other words, in this case, the write process has been interrupted after the writing of certificate data DT to the update data section SECU has been completed. This means that there is a possibility that the certificate data DTU has been tampered with, for example. Accordingly, the monitoring unit 25 may determine that a component malfunction or data tampering has occurred.

In this case, the section management unit 22 may set the data status STD to “tampered with”, thereby locking the vehicle 10. The display 13 may display that a component malfunction or data tampering has occurred, on the basis of an instruction from the monitoring unit 25. In the locked state, the vehicle 10 may be unable to delete the data of the update data section SECU or re-update the certificate data DT by communicating with the charging station 30. The charging station 30 may be unable to unlock the vehicle 10, and only the management apparatus 40 may be able to unlock the vehicle 10.

For example, in a case where the update status STU is “unassigned” and the certificate data DTU includes a data error, the monitoring unit 25 may determine that there is no problem. In other words, the update status STU being “unassigned” means that the data error in the certificate data DTU has occurred after the update of the certificate data DT. Accordingly, the monitoring unit 25 may determine that there is no problem.

In this case, the section management unit 22 may be able to delete the certificate data DTU stored in the update data section SECU. The section management unit 22 may also be able to, for example, re-update the certificate data DT by communication with the charging station 30.

For example, in a case where the update status STU is “being rewritten” and the certificate data DTU includes no data error, the monitoring unit 25 may determine that a write error has occurred, during data writing to the update data section SECU.

In this case, the section management unit 22 may set the data status STD to “to be updated”. The display 13 may display that a write error has occurred, on the basis of an instruction from the monitoring unit 25. In other words, in this case, the write process has been interrupted at a stage where writing of certificate data DT to the update data section SECU has not been completed. It is therefore unlikely that the certificate data DT has been tampered with, for example. Accordingly, the section management unit 22 may refrain from locking the vehicle 10. In such a case, the section management unit 22 may be able to delete the data of the update data section SECU or re-update the certificate data DT by communication with the charging station 30.

For example, in a case where the update status STU is “updating” and the certificate data DTU includes no data error, the monitoring unit 25 may determine that a write error has occurred in updating the data of the data section SECD on the basis of the update data section SECU.

In this case, because the certificate data DTU of the update data section SECU includes no data error, the section management unit 22 may perform updating, i.e., updating the data of the data section SECD on the basis of the update data section SECU. Consequently, the certificate data DT may be normally written to the data section SECD, and the update status STU may be set to “unassigned”; thus, the update of the certificate data DT may be completed normally.

For example, in a case where the update status STU is “unassigned” and the certificate data DTU includes no data error, the update of the certificate data DT has been completed normally. Accordingly, the monitoring unit 25 may determine that there is no problem.

In this case, the section management unit 22 may be able to, for example, delete the certificate data DTU stored in the update data section SECU.
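The write process (steps S108 to S115) and the startup check of the update data section SECU described above can be exercised together, as an added example that is not code from the patent: the write is cut off after a chosen step, and the verification then classifies what it finds from the update status STU and the SUM value alone. The status encodings, the 16-bit additive SUM, the retry count, the function names and the sample certificate bytes are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CERT_MAX   32
#define RETRIES    3  /* "predetermined number of times": value assumed */
#define STOP_NEVER 0
#define POWER_LOSS(step) do { if (stop_after == (step)) return 0; } while (0)
/* Status encodings are assumptions; the page only names the states. */
enum { STU_UNASSIGNED = 0xA1, STU_BEING_REWRITTEN = 0xB2, STU_UPDATING = 0xC3 };
enum { STD_NORMAL = 0x11, STD_TO_BE_UPDATED = 0x22, STD_TAMPERED = 0x33 };
typedef enum { V_NO_PROBLEM, V_WRITE_ERROR_SECU, V_WRITE_ERROR_SECD,
               V_MALFUNCTION_OR_TAMPERING } verdict_t;

typedef struct {
    uint8_t  status;          /* STU in SECU, STD in SECD */
    uint8_t  number;          /* data number NU / ND */
    uint8_t  cert[CERT_MAX];  /* certificate data DTU / DTD, zero padded */
    uint16_t sum;             /* SUM value */
} section_t;

/* The page does not give the SUM algorithm; a 16-bit additive sum is assumed. */
static uint16_t sum_value(const uint8_t *p, size_t n) {
    uint16_t s = 0;
    for (size_t i = 0; i < n; i++) s = (uint16_t)(s + p[i]);
    return s;
}

/* Steps S112 and S113: copy SECU to SECD, then compare number, data and SUM. */
static int copy_and_check(const section_t *u, section_t *d) {
    d->number = u->number;
    memcpy(d->cert, u->cert, CERT_MAX);
    d->sum = u->sum;
    return d->number == u->number && d->sum == u->sum &&
           memcmp(d->cert, u->cert, CERT_MAX) == 0;
}

/* Write process; stop_after is the step after which power is lost.
   Returns 0 (done or interrupted), 1 (write error), -1 (certificate too long). */
int write_process(section_t *u, section_t *d, const uint8_t *cert, size_t len, int stop_after) {
    if (len > CERT_MAX) return -1;
    u->status = STU_BEING_REWRITTEN;        /* first status, set before the write */
    u->number = 1;                          /* data number NU (first data set DS1) */
    memset(u->cert, 0, CERT_MAX);
    memcpy(u->cert, cert, len);             /* S108 */
    POWER_LOSS(108);
    u->sum = sum_value(u->cert, CERT_MAX);  /* S109 */
    POWER_LOSS(109);
    u->status = STU_UPDATING;               /* S110 */
    POWER_LOSS(110);
    d->status = STD_TO_BE_UPDATED;          /* S111 */
    for (int i = 0; i <= RETRIES; i++) {    /* S112/S113, retried as S119/S120 */
        if (!copy_and_check(u, d)) continue;
        d->status = STD_NORMAL;             /* S114 */
        u->status = STU_UNASSIGNED;         /* S115 */
        return 0;
    }
    return 1;  /* statuses stay "to be updated" / "updating" */
}

/* Startup check of SECU with communication disconnected. */
verdict_t verify_update_section(section_t *u, section_t *d) {
    int data_error = sum_value(u->cert, CERT_MAX) != u->sum;
    switch (u->status) {
    case STU_BEING_REWRITTEN:       /* SECU write never finished: no lock */
        d->status = STD_TO_BE_UPDATED;
        return V_WRITE_ERROR_SECU;
    case STU_UPDATING:
        if (data_error) {           /* completed write no longer matches its SUM */
            d->status = STD_TAMPERED;
            return V_MALFUNCTION_OR_TAMPERING;
        }
        if (copy_and_check(u, d)) { /* redo the SECD update from the intact SECU */
            d->status = STD_NORMAL;
            u->status = STU_UNASSIGNED;
        }
        return V_WRITE_ERROR_SECD;
    case STU_UNASSIGNED:            /* update had completed; SECU may be deleted */
        return V_NO_PROBLEM;
    default:                        /* undefined STU: the status itself changed */
        d->status = STD_TAMPERED;
        return V_MALFUNCTION_OR_TAMPERING;
    }
}

section_t demo_secu, demo_secd;  /* constructed demo storage used by run_case() */
verdict_t run_case(int stop_after, int flip_dtu_bit) {
    static const uint8_t cert[] = "CONSTRUCTED-CERT-0001";  /* constructed sample */
    demo_secu = (section_t){ .status = STU_UNASSIGNED };
    demo_secd = (section_t){ .status = STD_NORMAL };
    write_process(&demo_secu, &demo_secd, cert, sizeof cert, stop_after);
    if (flip_dtu_bit) demo_secu.cert[0] ^= 0x01;  /* DTU changed while powered off */
    return verify_update_section(&demo_secu, &demo_secd);
}

int main(void) {
    printf("loss after S108: %d, after S110: %d\n", run_case(108, 0), run_case(110, 0));
    return 0;
}
```

A changed byte in DTU locks the vehicle only when STU is “updating”; the same change under “unassigned” is reported as no problem, which is the distinction the status value exists to make.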

FIGS. 7A and 7B illustrate an example of data verification operation performed by the monitoring unit 25 on the basis of the data of the data section SECD.

For example, in a case where the data status STD is “normal” and the certificate data DTD includes a data error, the monitoring unit 25 may determine that a write error has occurred.

In this case, because the certificate data DTD includes a data error, the section management unit 22 may make the certificate data DTD unavailable. This makes the charging station 30 unable to supply electric power to the battery 14 of the vehicle 10. The display 13 may display that a write error has occurred, on the basis of an instruction from the monitoring unit 25. In a case where the update data section SECU includes no data error, the section management unit 22 is able to perform updating, i.e., updating the data of the data section SECD on the basis of the update data section SECU. This enables the charging station 30 to charge the battery 14 of the vehicle 10.

For example, in a case where the data status STD is “to be updated” and the certificate data DTD includes a data error, the monitoring unit 25 may determine that a write error has occurred in updating the data of the data section SECD on the basis of the update data section SECU.

In this case, the display 13 may display that a write error has occurred. The section management unit 22 may be able to re-update the certificate data DT by communication with the charging station 30. In a case where the certificate data DTU of the update data section SECU includes no data error and the update status STU is “updating”, the section management unit 22 may be able to perform updating, i.e., updating the data of the data section SECD on the basis of the update data section SECU.

For example, in a case where the data status STD is “tampered with” and the certificate data DTD includes a data error, the monitoring unit 25 may determine that a component malfunction or data tampering has occurred.

In this case, because the data status STD is already “tampered with”, the vehicle 10 is in the locked state. The display 13 may display that a component malfunction or data tampering has occurred, on the basis of an instruction from the monitoring unit 25. In the locked state, the vehicle 10 may be unable to delete the data of the update data section SECU or re-update the certificate data DT by communicating with the charging station 30. The charging station 30 may be unable to unlock the vehicle 10, and only the management apparatus 40 may be able to unlock the vehicle 10.

For example, in a case where the data status STD is “normal” and the certificate data DTD includes no data error, the update of the certificate data DT has been completed normally. Accordingly, the monitoring unit 25 may determine that there is no problem.

In this case, the certificate data DT is available. For example, the charging station 30 is able to supply electric power to the battery 14 of the vehicle 10.

For example, in a case where the data status STD is “to be updated” and the certificate data DTD includes no data error, the monitoring unit 25 may determine that a write error has occurred in updating the data of the data section SECD on the basis of the update data section SECU.

In this case, the display 13 may display that a write error has occurred. The section management unit 22 may be able to re-update the certificate data DT by communication with the charging station 30. In a case where the certificate data DTU of the update data section SECU includes no data error and the update status STU is “updating”, the section management unit 22 may be able to perform updating, i.e., updating the data of the data section SECD on the basis of the update data section SECU.

For example, in a case where the data status STD is “tampered with” and the certificate data DTD includes a data error, the monitoring unit 25 may determine that a component malfunction or data tampering has occurred.

In this case, because the data status STD is already “tampered with”, the vehicle 10 is in the locked state. The display 13 may display that a component malfunction or data tampering has occurred, on the basis of an instruction from the monitoring unit 25. In the locked state, the vehicle 10 may be unable to delete the data of the update data section SECU or re-update the certificate data DT by communicating with the charging station 30. The charging station 30 may be unable to unlock the vehicle 10, and only the management apparatus 40 may be able to unlock the vehicle 10.

As described above, the security controller 20 is provided with the update data section SECU and the data section SECD. The section management unit 22 causes the update data section SECU to store the update status STU, and the data section SECD to store the data status STD. In a state in which communication is disconnected, such as when the vehicle 10 is activated, the monitoring unit 25 verifies the certificate data DTU and the certificate data DTD on the basis of the update status STU and the data status STD. This enables the monitoring unit 25 to, for example, check interruption of a write process, on the basis of the update status STU and the data status STD. In a case where the write process has been interrupted, it is possible for the monitoring unit 25 to check at which stage the interruption has occurred, and determine whether a component malfunction or data tampering has occurred or a data write error has occurred. The determination may be made on the basis of a result of the check, and the certificate data DTU and the certificate data DTD stored in the storage 23. This enables the security controller 20 to determine whether a component malfunction or data tampering has occurred or a data write error has occurred, without performing communication between the vehicle 10 and an external apparatus. Consequently, it is possible for the security controller 20 to improve reliability of the certificate data DT.

In other words, in one conceivable method, for example, a vehicle communicates with an external apparatus, and verifies certificate data DT by comparing the stored certificate data DT with certificate data DT transmitted from the external apparatus. However, in a case where a malicious third party has prepared the external apparatus, for example, it is difficult to accurately verify the certificate data DT.

In contrast, the security controller 20 according to the example embodiment verifies, in a state in which communication is disconnected, the certificate data DTU and the certificate data DTD on the basis of the update status STU and the data status STD. This enables the security controller 20 to, for example, check interruption of a write process, and verify the certificate data DT on the basis of a result of the check, and the certificate data DTU and the certificate data DTD stored in the storage 23. Thus, in the example embodiment, it is possible for the security controller 20 itself of the vehicle 10 to verify the certificate data DT without performing communication between the vehicle 10 and an external apparatus. Consequently, it is possible for the security controller 20 to accurately verify the certificate data DT, which enables reliability of data (the certificate data DT) to be improved.

The security controller 20 may also determine whether a component malfunction or data tampering has occurred or a data write error has occurred. Thus, in a case where a component malfunction or data tampering has occurred, for example, it is possible to receive appropriate treatment, such as component replacement, by bringing the vehicle 10 to a dealer. In a case of a data write error, for example, it is possible to restore a normal state without bringing the vehicle 10 to a dealer. Consequently, it is possible for the security controller 20 to improve convenience of the user.

Example Effects

As described above, in the example embodiment, the update data section and the data section are provided. The update data section stores the update status, and the data section stores the data status. In a state in which communication is disconnected, the certificate data is verified on the basis of the update status and the data status. This makes it possible to improve reliability of the certificate data.

In the example embodiment, it may be determined whether a component malfunction or data tampering has occurred or a data write error has occurred. This makes it possible to improve convenience of the user.

Although some example embodiments of the technology have been described in the foregoing, the technology is by no means limited to the example embodiments. Various changes and modifications may be made to any embodiment without departing from the scope of the technology.

For example, although an example embodiment has been described above in which the technology is applied to the certificate data DT, data to which the technology is applied is not limited to the certificate data DT. Any embodiment of the technology is applicable to various data.

For example, although an example embodiment has been described above in which the technology is applied to the charging system, a use of the technology is not limited to the charging system. Any embodiment of the technology is applicable to uses other than charging.

The example effects described above are merely illustrative and non-limiting. Any embodiment may achieve an effect other than the example effects described above.

The security controller 20 illustrated in FIG. 1 is implementable by circuitry including at least one semiconductor integrated circuit such as at least one processor (e.g., a central processing unit (CPU)), at least one application specific integrated circuit (ASIC), and/or at least one field programmable gate array (FPGA). At least one processor is configurable, by reading instructions from at least one machine readable non-transitory tangible medium, to perform all or a part of functions of the security controller 20. Such a medium may take many forms, including, but not limited to, any type of magnetic medium such as a hard disk, any type of optical medium such as a CD and a DVD, any type of semiconductor memory (i.e., semiconductor circuit) such as a volatile memory and a non-volatile memory. The volatile memory may include a DRAM and an SRAM, and the nonvolatile memory may include a ROM and an NVRAM. The ASIC is an integrated circuit (IC) customized to perform, and the FPGA is an integrated circuit designed to be configured after manufacturing in order to perform, all or a part of the functions of the security controller 20 illustrated in FIG. 1.

Although the technology is described hereinabove in terms of example embodiments, it is not limited thereto. It should be appreciated that variations may be made in the described example embodiments by persons skilled in the art without departing from the scope of the technology as defined by the following claims. The limitations in the claims are to be interpreted broadly based on the language employed in the claims and not limited to examples described in this specification or during the prosecution of the application, and the examples are to be construed as non-exclusive. For example, in this technology, the use of the terms first, second, etc. do not denote any order or importance, but rather the terms first, second, etc. are used to distinguish one element from another. The term “disposed on/provided on/formed on” and its variants as used herein refer to elements disposed directly in contact with each other or indirectly by having intervening structures therebetween. Moreover, no element or component in this technology is intended to be dedicated to the public regardless of whether the element or component is explicitly recited in the following claims.

The invention claimed is:
 1. A data verification apparatus comprising: astorage including a first storage and a second storage, the firststorage being configured to store first data and first statusinformation, the second storage being configured to store second dataand second status information; a management unit configured to control awrite process and update the first status information and the secondstatus information in response to the write process, the write processbeing a process of writing the first data to the first storage on abasis of data acquired by communication with an external apparatus, andthereafter writing the second data to the second storage on a basis ofthe data; and a verification unit configured to verify, in a state inwhich the communication is disconnected, the first data and the seconddata on a basis of the first status information and the second statusinformation.
 2. The data verification apparatus according to claim 1,wherein, in the state in which the communication is disconnected, theverification unit is configured to check whether the write process hasbeen interrupted on a basis of the first status information and thesecond status information and, on a condition that the write process hasbeen interrupted, check at which stage the interruption has occurred,and verify the first data and the second data on a basis of a checkresult as to at which stage the interruption has occurred.
 3. The dataverification apparatus according to claim 2, wherein, in the state inwhich the communication is disconnected, the verification unit isconfigured to determine whether data tampering or a write error hasoccurred for each of the first data and the second data, on a basis ofthe check result, the first data, and the second data.
 4. The dataverification apparatus according to claim 3, wherein the management unitis configured to set the first status information to a first statusbefore writing the first data to the first storage, set the first statusinformation to a second status after writing the first data to the firststorage, write the second data to the second storage, and set the firststatus information to a third status, on a condition that the seconddata in the second storage and the first data in the first storage matcheach other.
 5. The data verification apparatus according to claim 4,wherein, in the state in which the communication is disconnected, theverification unit is configured to determine that the write error hasoccurred on a condition that the first status information is the firststatus.
 6. The data verification apparatus according to claim 4,wherein, in the state in which the communication is disconnected, theverification unit is configured to determine that the data tampering hasoccurred on a condition that the first status information is the secondstatus and that the first data includes an error.
 7. The data verification apparatus according to claim 1, wherein the management unit is configured to set the second status information to a fourth status on a condition that the second data already written to the second storage includes an error, before writing the first data to the first storage, set the second status information to a fifth status after writing the first data to the first storage, write the second data to the second storage, and set the second status information to a sixth status on a condition that the second data in the second storage and the first data in the first storage match each other.
 8. The data verification apparatus according to claim 7, wherein the verification unit is configured to check, in the state in which the communication is disconnected, whether the first data written to the first storage includes an error and whether the second data written to the second storage includes an error, and the management unit is configured to write the second data to the second storage again on a basis of the first data written to the first storage, on a condition that the second status information is the fifth status, that the second data includes the error, and that the first data includes no error.
 9. A data verification apparatus comprising: a storage including a first storage and a second storage, the first storage being configured to store first data and first status information, the second storage being configured to store second data and second status information; and circuitry configured to control a write process and update the first status information and the second status information in response to the write process, the write process being a process of writing the first data to the first storage on a basis of data acquired by communication with an external apparatus, and thereafter writing the second data to the second storage on a basis of the data, and verify, in a state in which the communication is disconnected, the first data and the second data on a basis of the first status information and the second status information.
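
The status sequencing of claims 4 and 7 and the offline decisions of claims 5, 6 and 8 can be sketched in C as follows; this is an added example, not code from the patent. The XOR check byte, the numeric status encoding, all identifiers, the running of both status sequences in one routine, and the order in which the three claim conditions are tested are assumptions made for illustration.

```c
#include <stdbool.h>
#include <string.h>

#define LEN 8
/* Status names follow the claims; the numeric encoding is an assumption. */
enum { FIRST = 1, SECOND, THIRD, FOURTH, FIFTH, SIXTH };
enum verdict { WRITE_ERROR, TAMPERING, REWRITE_SECOND, NOT_COVERED };
struct bank { unsigned char data[LEN]; int status; };
/* Constructed sample image; its last byte is a valid check byte. */
static const unsigned char SAMPLE_IMG[LEN] = {1, 2, 3, 4, 5, 6, 7, 0};

/* Assumed error check: the last byte is the XOR of the preceding bytes. */
static bool has_error(const struct bank *b) {
    unsigned char x = 0;
    for (int i = 0; i + 1 < LEN; i++) x ^= b->data[i];
    return x != b->data[LEN - 1];
}

/* Claims 4 and 7; `steps` simulates an interruption after that many steps. */
void write_process(struct bank *a, struct bank *b,
                   const unsigned char *img, int steps) {
    if (steps-- <= 0) return;
    if (has_error(b)) b->status = FOURTH;  /* claim 7: old second data bad */
    a->status = FIRST;                     /* claim 4: before first write */
    if (steps-- <= 0) return;
    memcpy(a->data, img, LEN);
    if (steps-- <= 0) return;
    a->status = SECOND; b->status = FIFTH; /* after first write */
    if (steps-- <= 0) return;
    memcpy(b->data, img, LEN);
    if (steps-- <= 0) return;
    if (memcmp(a->data, b->data, LEN) == 0) { a->status = THIRD; b->status = SIXTH; }
}

/* Offline verification. Testing claims 5, 6, 8 in this order is an assumption. */
enum verdict verify_offline(const struct bank *a, struct bank *b) {
    if (a->status == FIRST) return WRITE_ERROR;                 /* claim 5 */
    if (a->status == SECOND && has_error(a)) return TAMPERING;  /* claim 6 */
    if (b->status == FIFTH && has_error(b) && !has_error(a)) {  /* claim 8 */
        memcpy(b->data, a->data, LEN);                          /* rewrite second */
        return REWRITE_SECOND;
    }
    return NOT_COVERED; /* combinations the claims above do not decide */
}
int main(void) {
    struct bank a = {{0}, 0}, b = {{0}, 0};
    write_process(&a, &b, SAMPLE_IMG, 2);  /* cut off before status advances */
    return verify_offline(&a, &b) == WRITE_ERROR ? 0 : 1;
}
```

Because the first status only advances after the first write completes, an interruption during that write is distinguishable offline from a later modification of data that was once written correctly.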